Remove nginx from response headers and error responses #406
Merged: kathap merged 1 commit into cloudfoundry:develop from sap-contributions:hide-use-of-nginx on Apr 29, 2024
Conversation
We observed that the server name (Nginx) is leaked in the header and in the body of an error message. To enhance the security posture of the web application and mitigate the risk associated with information disclosure, it is strongly recommended to not share the server name and/or version in any response information. This does include any type of error messages. Solution: adjust NGINX sources by using sed to perform an in-place substitution of the server name before building nginx
kathap added a commit to cloudfoundry/capi-bara-tests that referenced this pull request on Apr 23, 2024:
With capi-release PR cloudfoundry/capi-release#406 the server name will no longer be present in response headers. This PR adds a test to check the server name is not present in the response header.
moleske approved these changes on Apr 29, 2024:
assuming we'll close this draft version of this change
kathap added a commit to cloudfoundry/capi-bara-tests that referenced this pull request on Apr 29, 2024:
* Added a test to check if server name is not leaked
  With capi-release PR cloudfoundry/capi-release#406 the server name will no longer be present in response headers. This PR adds a test to check the server name is not present in the response header.
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request on Jun 18, 2024:
Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406
Signed-off-by: João Pereira <[email protected]>
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request on Jun 20, 2024:
Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406
Signed-off-by: João Pereira <[email protected]>
gururajsh pushed a commit to cloudfoundry/cli that referenced this pull request on Jun 20, 2024:
* Ensure correct pool is being used for PRs
* Use integration workflow directly from unit tests
* Provide secret directly instead of using env variable
* Remove check for Server header in curl request tests
  Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406
* Change in response from UAA
  Starting on version 76.26.0 of UAA a change was made that changes the behavior; more context in cloudfoundry/uaa#2545
Signed-off-by: João Pereira <[email protected]>
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request on Jun 24, 2024:
Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406
Signed-off-by: João Pereira <[email protected]>
a-b pushed a commit to cloudfoundry/cli that referenced this pull request on Jun 28, 2024:
* Ensure correct pool is being used for PRs
* Use integration workflow directly from unit tests
* Provide secret directly instead of using env variable
* Remove check for Server header in curl request tests
  Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406
* Change in response from UAA
  Starting on version 76.26.0 of UAA a change was made that changes the behavior; more context in cloudfoundry/uaa#2545
* Revert min-capi tests introduction
* Incorrect merge of cherry-pick
Signed-off-by: João Pereira <[email protected]>
We observed that the server name (Nginx) is leaked in the header and in the body of an error message.
To bolster the security stance of the web application and reduce the likelihood of information exposure, it's highly advised to refrain from divulging the server's name and version in any response data, including error messages.
What the PR changes: adjust NGINX sources by using sed to perform an in-place substitution of the server name before building nginx (Found by @philippthun here)
With this change the server name no longer appears in any response or error message.
- I have viewed, signed and submitted the Contributor License Agreement
- I have made this pull request to the develop branch
- I have run CF Acceptance Tests on bosh lite
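As an added example (not code from capi-release, capi-bara-tests or the cf CLI), the kind of check the referenced capi-bara-tests commit describes: parse a raw HTTP response and report every place the server name appears, in the Server header or in the error body. The two sample responses and the version string are constructed placeholders.

```python
import re

# Constructed sample responses, not captured from a real Cloud Controller.
# LEAKY_404 mirrors a stock nginx 404: the name leaks in the Server header
# and in the error page footer (the version number is a placeholder).
# CLEAN_404 is what a build with the server name removed would send.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.25.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head>\r\n"
    "<body><center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx/1.25.3</center></body></html>\r\n"
)
CLEAN_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>404 Not Found</title></head>\r\n"
    "<body><center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>Not Found</center></body></html>\r\n"
)

# Bare product name or name/version, matched case-insensitively.
SERVER_TOKEN = re.compile(r"nginx(?:/[\w.]+)?", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers, body);
    header names are lower-cased so 'Server' and 'server' compare equal."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def find_server_leaks(raw):
    """Return [(location, text)] for each place the server name shows up;
    an empty list means the response discloses nothing."""
    _, headers, body = parse_response(raw)
    findings = []
    # Any Server header is a disclosure, even one without a version string.
    if "server" in headers:
        findings.append(("header:server", headers["server"]))
    for match in SERVER_TOKEN.finditer(body):
        findings.append(("body", match.group(0)))
    return findings
```

Run `find_server_leaks` against a captured error response from the endpoint under test; an empty result is what the capi-bara-tests check expects after this change.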